Target Breach: Credit Union Lessons Learned

The Target credit and debit card data breach keeps getting uglier, with the retailer admitting Friday that 70 million more shoppers had their information compromised. Pilfered data now may include phone numbers, mailing addresses and more in addition to magnetic stripe data.

In most cases it will be the card issuers - that is, credit unions and banks – that will cover losses from the use of the purloined credit card info by crooks, said Nicole Reyes, senior fraud prevention analyst with The Members Group in Des Moines, Iowa.

Connie Trudgeon, vice president of operations at CO-OP Financial Services in Rancho Cucamonga, Calif., said that many credit unions felt angry, frustrated and powerless as they anticipated losses mounting. She added that the Target breach was responsible for 27% of all the fraud CO-OP was currently seeing in its system, and that immensity underlined the dark mood in many credit unions.

But then there is another viewpoint, where at least some credit unions actively dove into loss mitigation efforts as soon as they heard about the Target breach. In those cases, the mood is strikingly different.

These institutions say that, yes, they have incurred significant costs, mainly in manpower and in reissuing impacted credit and debit cards. But, they also say that their actual fraud losses may be negligible.

How did they do it?

Read more: Michigan First Credit Union reports no losses ...

At the $662 million Michigan First Credit Union in Lathrup Village, Mich., CEO Michael Poulos said as of the first week of January total fraud losses involving his members and their cards stood at $0. Not a cent had been lost and, said Poulos, that is because Michigan First took fast action.

“We did not wait to hear from CO-OP and PSCU,” Poulos said about Michigan First’s card processors that relay fraud information from Mastercard and Visa. “We did our own search of member transactions as soon as we heard about the breach.”

Michigan First quickly identified approximately 1,500 members who had shopped at Target during the period when criminals were apparently intercepting records.

“We found 500 credit cards and 1,000 debit cards,” Poulos said.

Michigan First immediately canceled them. Because the credit union prints debit cards in house, he said, replacement was very fast, and in some cases, the credit union hand delivered the card to the member.

With credit cards, Michigan First uses a third party to manufacture the cards, but to speed things up, offered free overnight shipping, Poulos said.

He added that although fraud losses stood at $0, the average card replacement cost incurred by Michigan First was around $40 to $45.

Asked if he feared a reputation loss by Michigan First due to the breach, news stories about fraud, and inconveniences to members who had cards replaced, Poulos vigorously demurred.

“I believe we will enjoy a reputation gain, not a loss,” he said. “Our members have been very appreciative. They know we are looking out for their best interest.”

Poulos’ take-away from all this was that Michigan First controlled losses because it had a process in place.

“We have a team in place to respond to these kinds of incidents,” he said. “We try to figure out what is true. You never get the full story right away.”

“Sometimes you don’t need to do anything,” Poulos added. “As soon as we found out our members’ cards needed to be replaced, we contacted them and let them know. You have to focus on the right questions and, for us, it was what do we need to do to protect our members? That made it easy to see what to do.”

Read more: Gesa Credit Union was prepared for breach ...

Over at the $1.2 billion Gesa Credit Union in Richland, Wash., Jeff Gegen, vice president of product and risk management, said Gesa has had close to zero losses and was very well prepared for the breach.

Gegen explained that Gesa had invested in robust analytical tools that let the institution identify which member cards were at risk days before it got lists from Visa and Mastercard.

Gesa chose to reissue some member cards, to stay on the safe aide, Gegen said. But for most members, the institution implemented strategic blocks on certain kinds of transactions known to be high risk or to occur in high risk geographies.

An example, he said, is if a member lives in Washington State and is known to have shopped at Target, and suddenly seeks to purchase a large gift card in New York City, a town where Gesa said he has frequently seen fraud before.

Unless that member had a history of similar gift card purchases, that transaction almost certainly would be denied at point of sale, Gegen said.

“Our tools interrogate every transaction and where there are concerns, we deny it at retail,” he said.

Gegen added that, increasingly, Gesa is involving our members in fraud monitoring and asks them to sign up for SMS alerts. Gesa advised some concerned members to set up alerts that inform them of every transaction on their credit or debit cards, as they happen.

“We believe the more we involve members in fraud monitoring, the more we will stop it,” he said.

He added that, between the analytical and monitoring tools and heightened member involvement, “it’s truly amazing how much fraud we have stopped.”

Read more: Affinity Credit Union reports only $1,600 known losses ...

At Basking Ridge, N.J.-based Affinity Federal Credit Union, the $2.2 billion institution was among the first to jump into action, sending out a mass email about the breach to members on Dec. 19, the same day Target officially acknowledged the breach.

CEO John Fenton said that “we got early, heavy call volume,” as concerned members reacted to news reports and the institution’s email blast, as well as a notice on its website about Target.

But the plus for Affinity, which did “heavy analysis” of member transactions to identify those most likely to be compromised, is that its known losses presently stand at just $1,600.

“We replaced 6,500 cards,” Fenton said, who added that the expense of the reissue was much higher than the losses.

He added that there really isn’t much individual credit unions can do to prevent these kind of events.

“It is entirely in the merchants’ hands,” he said. “However, there is always room for communication with your members to make them aware of the issues and how they need to pay attention to their account.”

More broadly, experts identified multiple steps credit unions can take to be better prepared for the next breach. And, they agreed, there will be a next time.

In regard to mitigation, CO-OP’s Trudgeon said credit unions need to be more vigilant and to act quickly as they learn about breaches.

“In general, many credit unions do not have a written plan for dealing with breaches and they need one,” she said.

That plan, she elaborated, needs to identify what executives are involved, how they are involved, and should be as precise as a plan for handling an armed robbery or branch fire.

“You need to be able to act quickly, that is key,” said Ken Westin, security researcher for Tripwire, a security firm with credit union clients. “React quickly, using fraud analysis technologies. That’s what a credit union can and needs to do. That’s how to minimize losses.”